After the discovery of Spectre and Meltdown processor vulnerabilities earlier last year that put practically every computer in the world at risk, different classes of Spectre and Meltdown variations surfaced again and again.
Now, a team of security researchers from multiple universities and security firms has discovered different but more dangerous speculative execution side-channel vulnerabilities in Intel CPUs.
The newly discovered flaws could allow attackers to directly steal user-level, as well as system-level secrets from CPU buffers, including user keys, passwords, and disk encryption keys.
Speculative execution is a core component of modern processors design that speculatively executes instructions based on assumptions that are considered likely to be true. If the assumptions come out to be valid, the execution continues, otherwise discarded.
Dubbed Microarchitectural Data Sampling (MDS attacks), the newest class of vulnerabilities consist of four different flaws, which, unlike existing attacks that leak data stored in CPU caches, can leak arbitrary in-flight data from CPU-internal buffers, such as Line Fill Buffers, Load Ports, or Store Buffers.
"The new vulnerabilities can be used by motivated hackers to leak privileged information data from an area of the memory that hardware safeguards deem off-limits. It can be weaponized in highly targeted attacks that would normally require system-wide privileges or deep subversion of the operating system," BitDefender told The Hacker New.
Here's the list of vulnerabilities derive from the newest MDS speculative execution in Intel processors:
- CVE-2018-12126—Microarchitectural Store Buffer Data Sampling (MSBDS), also known as Fallout attack.
- CVE-2018-12130—Microarchitectural Fill Buffer Data Sampling (MFBDS), also known as Zombieload, or RIDL (Rogue In-Flight Data Load).
- CVE-2018-12127—Microarchitectural Load Port Data Sampling (MLPDS), also part of RIDL class of attacks.
- CVE-2019-11091—Microarchitectural Data Sampling Uncacheable Memory (MDSUM), also part of RIDL class of attacks.
The Fallout attack is a new transient execution attack that could allow unprivileged user processes to steal information from a previously unexplored microarchitectural component called Store Buffers.
The attack can be used to read data that the operating system recently wrote and also helps to figure out the memory position of the operating system that could be exploited with other attacks.
In their proof-of-concept attack, researchers showed how Fallout could be used to break Kernel Address Space Layout Randomization (KASLR), and leak sensitive data written to memory by the operating system kernel.
ZombieLoad attack affects a wide range of desktops, laptops, and cloud computers with Intel processor generations released from 2011 onwards. It can be used to read data that is recently accessed or accessed in parallel on the same processor core.
The ZombieLoad attack does not only work on personal computers to leak information from other applications and the operating system but can also be exploited on virtual machines running in the cloud with common hardware.
"ZombieLoad is furthermore not limited to native code execution, but also works across virtualization boundaries. Hence, virtual machines can attack not only the hypervisor but also different virtual machines running on a sibling logical core," researchers explain.
"We conclude that disabling hyperthreading, in addition to flushing several microarchitectural states during context switches, is the only possible workaround to prevent this extremely powerful attack."
Researchers even made available a tool for Windows and Linux users to test their systems against RIDL and Fallout attacks as well as other speculative execution flaws.
Researchers tested their proof-of-concept exploits against Intel Ivy Bridge, Haswell, Skylake and Kaby Lake microarchitectures as shown in the video demonstrations.
Academics have discovered the MDS vulnerabilities from the Austrian university TU Graz, Vrije Universiteit Amsterdam, the University of Michigan, the University of Adelaide, KU Leuven in Belgium, Worcester Polytechnic Institute, Saarland University in Germany and security firms Cyberus, BitDefender, Qihoo360 and Oracle.
Multiple researchers independently reported Intel of the MSD vulnerabilities starting June 2018, but the Chip giant had asked all the researchers to keep their findings secret, some for more than a year, until the company could come out with fixes for the vulnerabilities.
Intel has now released Microcode Updates (MCU) updates to fix the MDS vulnerabilities in both hardware and software by clearing all data from buffers whenever the CPU crosses a security boundary so that the data can't be leaked or stolen.
Every operating system, virtualization vendor, and other software makers are highly recommended to implement the patch as soon as possible.
AMD and ARM chips are not vulnerable to the MDS attacks, and Intel says that some models of its chip already include hardware mitigations against this flaw.
Apple says it released a fix to address the vulnerability in the macOS Mojave 10.14.5 and Safari updates that were released yesterday.
Microsoft has also released software updates to help mitigate the MDS vulnerabilities. In some cases, the company says installing the updates will have a performance impact.